Lightnews — Scholar-powered news

NPM package ‘is’ with 2.8M weekly downloads infected devs with malware

July 26, 2025 at 7:41 PM

Sam Stepanyan

@securestep9.bsky.social

#NPM package 'is' with 2.8M weekly
downloads was compromised and infected developers with malware:
#AppSec
#SoftwareSupplyChainSecurity
👇
www.bleepingcomputer.com/news/securit...

CISA tool aims to boost security for software onboarding

July 23, 2025 at 4:05 PM

John P. Mello Jr.

@jpmjr.bsky.social

CISA just dropped a new tool to help agencies manage software supply chain risks. It's a game-changer for cybersecurity, but not everyone agrees. #CISA #SoftwareSupplyChainSecurity #TPRSM #ProcurementTool jpmellojr.blogspot.com/2025/09/cisa...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new web-based tool that it says will beef up cybersecurity...

jpmellojr.blogspot.com

September 11, 2025 at 3:44 PM

Anchore

@anchore.com

Complex SBOM integration? Anchore Enterprise makes it effortless with automation, compliance, and developer-friendly tools.

Read our blog: https://anchore.com/blog/effortless-sbom-analysis-how-anchore-enterprise-simplifies-integration/

#SBOM #DevSecOps #SoftwareSupplyChainSecurity

March 6, 2025 at 6:04 PM

Finite State

@finite-state.bsky.social

We're honored to be featured in Omdia’s latest report spotlighting the leaders in firmware & #SoftwareSupplyChainSecurity 🎉

Read the full report to explore what sets us apart 👉 omdia.tech.informa.com/om129716/omd...

#ProductSecurity #SBOM #IoTSecurity #FirmwareSecurity #Omdia

Omdia Market Radar: Firmware and Software Supply Chain Security, 2025

In this Market Radar, Omdia explores the firmware and software supply chain security (SSCS) market, comparing different vendor capabilities in the category.

omdia.tech.informa.com

May 20, 2025 at 5:54 PM

ReversingLabs

@reversinglabs.com

🎉 Exciting news: RL has won the ISG Information Technology Award! #Cybersecurity #IT #SoftwareSupplyChainSecurity

September 29, 2025 at 7:11 PM

ReversingLabs

@reversinglabs.com

Here's what your #AppSec team needs know about the EU Vulnerability Database (#EUVD) — & how it aims to fill gaps from the #NVD & #CVE. #SoftwareSupplyChainSecurity www.reversinglabs.com/blog/euvd-vu...

Europe's EUVD could shake up the vulnerability database ecosystem

EU steps up to fill gaps from the US NVD and CVE. Here's what you need to know — and why you need to think beyond vulnerabilities.

2025 cloud-native cybersecurity predictions | TechTarget

July 2, 2025 at 2:28 PM

Melinda Marks

@melindamarks.bsky.social

Wondering what's in store for 2025 for cloud-native security? Here are my predictions, including vendors addressing key areas
#cloudsecurity #devsecops #genAIsecurity #appsec #applicationsecurity #ASPM #CNAPP #riskmanagement #remediation #softwaresupplychainsecurity #vulnerabilitymanagement

From increased investments in cloud security to GenAI, IAM and tool consolidation, read the top cloud-native security predictions for 2025.

www.techtarget.com

January 3, 2025 at 5:26 PM

Kadi (Grigg) McKean

@kadigrigg.bsky.social

Spectra Assure SAFE Levels apply a systematic, yet customizable approach for benchmarking the level of commercial #SoftwareSupplyChainSecurity #SoftwareEngineer #AppSec www.reversinglabs.com/blog/gauging...

Gauging the Safety Level of Your Software with Spectra Assure

Quickly understand the current level of software safety, which threats require immediate action, and how the other risks and exposures can be addressed over time.

SAFE and Trusted: Why the Spectra Assure Community Badge Belongs on Your Open Source Project

December 2, 2024 at 6:20 PM

ReversingLabs

@reversinglabs.com

If you're proud of your #SoftwareSupplyChainSecurity standards, put the Spectra Assure Community Badge®️ front & center on your #OSS project. Show the world you're not messing around.👇 #Dev #GitHub #PyPI #npm www.reversinglabs.com/blog/safe-an...

The new badge from ReversingLabs is the ultimate stamp of trust for your software supply chain.

3CX’s Software Supply Chain Compromise: Lessons Learned

June 27, 2025 at 1:36 PM

ReversingLabs

@reversinglabs.com

💪 After a major supply chain compromise, #3CX remade it's software development process & CI/CD pipeline to strengthen its published code. Learn from their journey.👇 #AppSec #SoftwareSupplyChainSecurity #Dev www.reversinglabs.com/blog/lessons...

3CX has transformed its software security in the two years since a damaging compromise — and RL was there to help. Here are key takeaways.

Hidden threats lurk in commercial software: How to manage risk

July 7, 2025 at 7:16 PM

ReversingLabs

@reversinglabs.com

👀 New report from RL: While #OSS risks are not going away, attack trends show third-party commercial software presents the greatest risk to the enterprise. Learn more: www.reversinglabs.com/blog/hidden-...

#SoftwareSupplyChainSecurity #AppSec #DevSecOps #Dev

While open-source software risks are not going away, attack trends show third-party software presents the greatest risk to the enterprise.

Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack

March 13, 2025 at 12:35 PM

Sam Stepanyan

@securestep9.bsky.social

#NPM: Attackers have hijacked and injected malware into 18 popular NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack:

#SoftwareSupplyChainSecurity
👇

In what is being called the largest supply chain attack in history, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.

‘The Immutable Laws of Security’ at 25: 5 corollaries for a new era | ReversingLabs

September 8, 2025 at 8:24 PM

Anchore

@anchore.com

SBOM sprawl blocking your security gains? Discover how to centralize and operationalize SBOMs for faster zero-day response and better compliance.

Read m... https://anchore.com/blog/sbom-management-how-to-tackle-sprawl-and-secure-your-supply-chain/

#SBOM #SoftwareSupplyChainSecurity #SBOMManagement

February 10, 2025 at 10:01 PM

ReversingLabs

@reversinglabs.com

25 years ago, Scott Culp published The Immutable Laws of Security, written in the era of the ILOVEYOU worm. But do the laws still hold up for #SoftwareSupplyChainSecurity? https://bit.ly/4oFJ5CB #Cybersecurity

Scott Culp’s formulation still holds true — though some additions are needed that account for software supply chain security.

How PowerShell Gallery simplifies supply chain attacks | ReversingLabs

August 20, 2025 at 5:22 PM

ReversingLabs

@reversinglabs.com

⚠️ RL researchers have observed an attack vector on #PowerShell known as command hijacking that enables clobbering: https://bit.ly/3X7Ct38

#OpenSource #SoftwareSupplyChainSecurity

The automation tool's Install-Module command presents threat actors with one key link in the kill chain of a possible attack.

Software liability gets real: 5 ways to get ahead of the EU's new directive

November 4, 2025 at 3:50 PM

Anchore

@anchore.com

The FAR Council is poised to update software contracts: machine-readable SSDF attestations, compliance artifacts, & more. Get the lowdown on the 2025 Cybersecurity EO & how to prepare. ➡️ https://anchore.com/blog/2025-cybersecurity-executive-order/

#SSDF #Compliance #SoftwareSupplyChainSecurity

February 4, 2025 at 4:04 AM

Anchore

@anchore.com

📢 DORA is here. Compliance isn't optional.

Learn how SBOMs help financial institutions track third-party libraries and secure their software supply chains: https://anchore.com/blog/dora-overview/

#dora #sbom #compliance #softwaresupplychainsecurity

February 17, 2025 at 8:02 PM

Kadi (Grigg) McKean

@kadigrigg.bsky.social

The EU's Product Liability Directive could have far-reaching effects on U.S. companies that develop for or supply software to the #EU market. Here are 5 ways to get ahead of it. #Compliance #SoftwareSupplyChainSecurity www.reversinglabs.com/blog/softwar...

Here's what your organization needs to know about the Product Liability Directive — and how to avoid any slip-ups.

Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal

December 31, 2024 at 5:36 PM

Sam Stepanyan

@securestep9.bsky.social

#PyPI: 20 Malicious Python PyPI Packages Stole Cloud Tokens - Over 14,100 Downloads Before Removal:
#SoftwareSupplyChainSecurity
👇
thehackernews.com/2025/03/mali...

Researchers uncovered 20 malicious PyPI packages stealing cloud credentials, downloaded 14,100+ times before removal.

thehackernews.com

March 17, 2025 at 12:48 AM

Sam Stepanyan

@securestep9.bsky.social

#Solana JavaScript SDK was temporarily compromised yesterday in a supply chain attack, with the Web3.js library backdoored with malicious code to steal cryptocurrency private keys and drain wallets:
#SoftwareSupplyChainSecurity

www.bleepingcomputer.com/news/securit...

Solana Web3.js library backdoored to steal secret, private keys

The legitimate Solana JavaScript SDK was temporarily compromised yesterday in a supply chain attack, with the library backdoored with malicious code to steal cryptocurrency private keys and drain wall...

On Demand: Manifest Misconceptions-Closing the Gaps in SCA-Based SBOMs

December 4, 2024 at 8:20 PM

ReversingLabs

@reversinglabs.com

🎙️ The 2020 attack on #SolarWinds served as a wake-up call to take #SoftwareSupplyChainSecurity seriously. Watch the webinar now to learn how your organization can step up its #SBOM game: bit.ly/3ZYaQLZ

Most SBOMs miss nearly 50% of components. Learn why and how binary analysis closes the gap for better security, compliance & supply chain visibility.

How AWS averted an AI coding supply chain disaster | ReversingLabs

July 17, 2025 at 1:01 PM

ReversingLabs

@reversinglabs.com

👇 Here are 6 lessons learned from the near-miss that was the Amazon Q Developer incident. Don't let luck be your #AICoding security strategy: https://bit.ly/4n5xlrs #AWS #Dev #SoftwareSupplyChainSecurity

Here are six lessons learned from the near-miss that was the Amazon Q Developer incident. Don't let luck be your security strategy.